From bdd288e3c464683ede8b22e20b4359083ef81fd1 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Tue, 30 Jan 2024 14:53:03 +0100
Subject: [PATCH] Bug 35941: Limit club list to those from the logged in user

clubs-tab get the patron's id from the parameter. At the OPAC we must use the one from the logged in user, to prevent leak to other users

Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops

Apply this patch, try again. The "borrowernumber" parameter is no longer used to fetch the club list.

Signed-off-by: Kyle M Hall
Signed-off-by: Martin Renvoize
Signed-off-by: Wainui Witika-Park
---
 .../opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt | 8 ++++----
 .../opac-tmpl/bootstrap/en/modules/clubs/enroll.tt | 3 +--
 opac/clubs/clubs-tab.pl | 10 ++++------
 opac/clubs/enroll.pl | 8 ++------
 4 files changed, 11 insertions(+), 18 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt index 4358d097a3..5c0364ffb2 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt @@ -55,8 +55,8 @@ [% c.name | html %] [% c.description | html %] - [% IF !c.club_template.is_email_required || ( c.club_template.is_email_required && borrower.first_valid_email_address ) %] - [% ELSE %] @@ -72,7 +72,7 @@
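Review bot: The commit message and test plan cover only clubs-tab.pl, while the diffstat also lists opac/clubs/enroll.pl (8 lines changed) and enroll.tt (3 lines changed). Please say in the message what changes for enrollment, and add a test-plan step that exercises the enroll page as patron 1, so a tester confirms that it also acts on the logged-in user only. Two smaller points. In the clubs-tab.tt hunk at line 55 the removed condition reads `borrower.first_valid_email_address`; once the script stops loading the patron from the request parameter, any `borrower` reference left elsewhere in that template will silently evaluate empty, so it is worth grepping the whole file and not only the two hunks touched here. The diffstat contains no test file, so the only regression coverage is the manual test plan; an automated check that a logged-in patron requesting clubs-tab.pl with another borrowernumber still receives only their own clubs would keep this from regressing.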